Data Access with the Run As Service Account
When Windows Authentication is configured, the Run As service account requires read and query permissions to the databases that are accessed by Tableau Server. As designed, Run As service account permissions result in access to the same databases by Tableau Server users with the Creator role or the Explorer (Can Publish) role. Users with these roles can access and view the databases with the same level of access as the Run As service account when connecting to the databases using Windows Authentication option on Tableau Server.
For example, a user with the Creator role can view all databases that have been granted access to the Run As service account.
If the Creator-user specifies the database host name and selects Windows Authentication when creating a new data source from a web browser, then the user will be able to view the databases that have been permissioned for the Run As service account.
View access to database assets are not restricted to users who connect to Tableau Server with a web browser. Sophisticated users, who have the same roles noted above and who have knowledge of database server names, can also craft workbooks with Tableau Desktop that can view the databases that have been permissioned for the Run As service account.
The functionality described here is universal for all data sources that are accessed by the Run As service account, regardless of how users authenticate with Tableau Server. For example, even if users authenticate to Tableau Server with Kerberos or SAML, their access to all Run As-configured data sources will be the same. Users with Creator or Explorer (Can Publish) are able to access all data that is permissioned for the Run As service account.
Recommendations
Whether user access to databases in these scenarios is acceptable must be assessed by your organisation. Generally, reducing the usage and scope of the Run As service account will reduce the likelihood of inadvertent user access to database content. However, reducing the usage and scope of the Run As service account may also impose more credential management to you and your users.
Evaluate the following recommendations in context of your business needs and data access policies.
- Firstly, be sure that you trust all users who have Creator roles or Explorer (Can Publish) roles. You will rely on these users to perform actions in Tableau with integrity.
- If you cannot trust all of your users who have publishing rights on data sources that are accessed by the Run As service account, then you should consider embedding credentials for those data sources.
- If a data source is not set up for automated extract refreshes, that is, the data source is primarily accessed as a live connection, then you may be able to use Kerberos Delegation. For requirements, see Enable Kerberos Delegation.